Proceedings of IC-BNMT20 10

A SELF LEARNING MODEL FOR DETECTING SIP

MALFORMED MESSAGE ATTACKS

Sohail Aziz, Mehroz Gul

Computer Science Department, National University of Computer and Emerging Sciences, Islamabad, Pakistan sohail_ aziz05@yahoo.com, mehrozdurrani@gmail.com

Abstract

This paper analyses the vulnerabilities exist in SIP protocol, and how these vulnerabilities can be exploited by attackers to attack the SIP based networks i.e VoIP and IMS [IP Multimedia Subsystem]. An attack tool is developed to exploit those vulnerabilities and a two-gram self learning solution is proposed to protect SIP based networks from these attacks.

Keywords: SIP malformed messages, self learning, SIP fuzzing , malformed message detection ,two­gram detection model, SIP attack.

1 Introduction

Fixed and mobile networks have gone through big transition in last 20 years. Over the years different standards were introduced for facilitating the users. Efforts have been made to lowering the cost while improving the efficiency of the communication. Now the invention ofVoIP and the standardization of IP multimedia subsystem (IMS) changes the definition of communication. V oIP lower the cost with improved voice quality while IMS promise to provides all the multimedia services independent of transport medium.

However these advanced technologies also open a new horizon for the attackers. Being open to internet , both VoIP and IMS are vulnerable to a large number of application layer attacks. Session Initiation Protocol (SIP) is the primary protocol for multimedia communications in VoIP and IMS. However defined SIP grammar left many loop holes which can be exploited by hackers and attackers to attack the SIP infrastructure.

In this paper we have proposed a "self-learning" solution to detect the anomalous SIP messages attacks. Our model learns the pattern of a normal SIP message from the benign traffic dataset and detects the anomalous SIP messages by computing its deviation from the model of normality. The rest of the paper is arranged as follows. Section two will describe the problem statement, then we

978-1-4244-6769-3/10/$26.00 ©2010 IEEE

711

will discuss the attack tool used for creating malformed messages , then we describe the test bed and detection framework and then conclude the paper with results section.

2 Problem statement

SIP is an application-layer signalling protocol for creating, modifying, and terminating multimedia sessions between one or more participants [1]. This is the primary control protocol used in VoIP and IMS for multimedia sessions. Both VoIP and IMS are open to internet and hence provides a new horizon for the attackers to drop off the SIP servers by exploiting the vulnerabilities exist in SIP protocol. SIP is a text based protocol like HTTP and hence is vulnerable to "malformed" message attacks. The tem "malformed" referred to any such SIP message which does not conform to the defined protocol standard. A malformed message attack can have severe effects on the SIP servers. Like flood attack , this can ultimately cause a Denial of Service (DoS) by crashing a SIP server or can cause significant application delays otherwise. Below are the possible effects , a malformed SIP message attack can cause.

2.1 Denial of Service (DoS)

The malformed SIP attack can fairly cause DoS by crashing the SIP parser or taking the SIP server to an undefined state. A server is considered to be crashed when its stops performing the expected functionality and also stops providing service to the user. Denial of Service (DoS) is the primary effect of session tear down. Specific-user DoS or wholesale DoS can occur, depending upon the target. A side effect of session tear down is that the proxy may not be aware of the calls being town down and will not have proper call records [2].

2.2 Application delays

Application delays are experienced by the legitimate users when the server's resources, CPU, bandwidth, memory are consumed in processing useless tasks. Significant application delays can be

caused by sending anomalous SIP message which contains unexpected message format and/or values. This can lead to the SIP server to an undefined state or at least keep it busy in processing anomalous messages.

2.3 Privacy compromise

The security of the user information is the major motive of SIP security realm. A malformed SIP attack namely SQL injection, can cause a major damage to the important database records. Such kind of attacks target database layer of the application which can cause manipulation, addition, deletion and table drops in the database. This kind of activity can result lethal information lose that tend to diminish the usability of SIP by miles.

3 Attack tool

There are many SIP fuzzer available publicly , however they only provide a static dumps of malformed SIP messages. These tools also , can't be used for mimic attacks. We have developed our own attack tool. Fiugure-l shows the basic modules of the attack tool. Our attack tool creates the anomalous messages which are the superset of the publicly available fuzzers. Its functions can be classified as following:

3.1 SIP message grammar

We will first discuss the different loop holes exist in SIP grammar and then explain how these can be exploited to create anomalous SIP messages.

Below are some ABNF (Augmented Backus-Naur Form) grammar definitions of different SIP fields.

Request-Line = Method SP Request-URI SP SIP-Version CRLF

Method = INVITEm / ACKm / OPTIONSm / BYEm / CANCELm /

REGISTERm / extension-method

transport-param = "transport=" ( "udp" / "tcp" /

"sctp" / "tls" / other-transport)

other-transport = token

token 1 *(alphanum / "-" / "." / "!" / "%" / "*,, /

"-" / "+" / "." / "'" / "�,, )

If we talk about Request-Line definition, Request­Line is defined by a method and method is defined as all legal SIP methods like INVITE ,ACK , OPTIONS etc plus an extension method which is undefined and can be exploited. Likewise other-transport in transport-param left open. These all undefined fields are kept for future use but this openness made SIP protocol open for malformed message attacks.

715

3.2 Malformed generation process

Malformed messages are generated by mutating different string sequences at all possible positions in a SIP message .. Below, a legal Request line of a SIP message is shown

INVITE sip:fast @opensip.com SIP/2.0

However following are also the valid SIP request lines according to the SIP grammar mentioned above.

Abcdefghijklmnopqrstuvwxyz sip:fast@opensip.com SIP/2.0

%s%d%x%l%s%d%x%l%s%d%x%l sip:fast@opensip.com SIP/2.0 \275\267\288\290\245 sip:fast@opensip.com SIP/2.0

These valid request lines can cause severe problems for a SIP parser in server and/or SIP client.A malformed message can be one of the following types. 1) Formatted string sequences-Formatted strings have special meaning in parsers and compilers. Large sequences of formatted strings can cause buffer overflow in the SIP server . 2)Ansi-Escape sequences-Ansi-Escape characters also have some special meaning in the computer system i.e \b \r .Large string sequences of such characters can cause buffer overflow and undefined state in servers. 3) UTF-8 sequences- UTF characters are used to define many different languages and also for special symbols. However there are some UTF sequences declared invalid. If those invalid utf-8 sequence mutate in different position in a SIP message, can cause problems for SIP parser which includes buffer overflow, undefined state and server crash. 4) Space/Null replication-Spaces and Nulls are valid characters used in SIP message. However their presence can be exploited as they act as token characters. Large space/null sequences can cause buffer overflow, undefined state , infinite loop and even server crash. 5) ASCII characters replication-Many ASCII characters acts as token in a SIP message.

From: "SUNRISE" <sip:fast@opensip.com:5065>;tag=as2cd43bI8

A sample from field of a SIP message is shown above. It can be seen that many ASCII characters are being used as token string some of them are { : , < , > , @ , ; }. Token strings are processed differently and are usually used as a condition in compilers and parsers. If these characters are replicated at the position of their occurrences , they can make parser busy in infinite loop or undefined state.

Above defined fuzz types are mutated in a normal SIP message. Formatted String Sequences, Ansi­Escape Sequences, UTF-8 Sequences, Space Replication, Null Replication are done by inserting these sequences at every possible index of a normal SIP message i.e.

n I Insert( St , Pi) i=O St := {Formatted strings , Null , Space , UTF-8, Ansi-Escape, Ascii} ; where n is the SIP message length , St is the one of the above defined fuzz types and Pi is the i-th index of SIP message. However ASCII mutation is done differently. If x is any ASCII character , it is mutated only where it originally occur.

255 n I I Insert( Xi , Pj) o i=O, j=O

where n is the total occurrences of an ASCII character Xi and Pj is the position of that particular ASCII character. Following is the example of the colon (:) mutation. From :::::::::::::::::: "SUNRISE" <sip::::::::::: :fast@opensip.com::::::::::::::5065>;tag =as2cd43bl8

4 Self learning intrusion detection system:

This section will explain the proposed "self learning" system for anomaly detection in SIP message . . The system is "self-learning", as it is able to automatically retrain itself in order to adapt changes in the SIP message content.

Figure 1. Self learning model

The system first go through a learning phase and learns the pattern of a normal SIP message of various kinds , once it passed through learning phase , it has enough information in Self database to detect whether the newly arrived message is a normal message or anomalous one. Figure 1 shows the modular structure of the intrusion detection system. Feature extractor extract the feature from a SIP message content and passed it to learning module. Learning module stores these features in as self database. Once the training phase

746

ends, anomaly detector uses the features stored in self database to compute the deviation from the newly arrived message's features and based on the deviation from the normal model it declare a message as normal or anomalous. Below are the different methods used for feature extraction and anomaly detection.

4.1 Feature extraction

Two Different methodologies are used for feature extraction. These are one-gram and two-gram.

4.1.1 One-gram

One-gram means moving the sliding window of size one , over the message content and recording the frequencies of each ASCII character. Figure 2 shows the vector space of all the ASCII character from 0 to 255 attained at the end of complete message.

'0' -m� � :m���m-�5' 1-Gram Frequency Model

Figure 2. One gram

4.1.2 Two-gram

Two gram is similar to one-gram except the window size is two at this time. Again Sliding window of size two is moved upon the SIP message content, by one and frequencies of ACII pairs are recorded. At the end of complete message scan , we would have a vector space of ASCII character's pair as given below.

'00'- �IP' ·····�DP ' ..... 62' .... ·60' _"255,255 ' ..... � � . . ..... "

c:b c:b 1 1

2-Gram Frequency Model

Figure 3. Two gram

4.2 Anomaly detection

Anomaly detector uses the following distance formulas to compute the distance between the features in self database and of newly arrived message.

4.2.1 Mahalanobis distance

Mahalanobis distance is most commonly used as a multivariate outlier statistics. It is computed by the following formula.

D 2 = (x -Il)' 2: -1(x -Il)

with 2: the covariance matrix of the distribution. D is called the Mahalanobis distance of the

point x to the mean Il of the distribution. In the figure 4 both A and B are at the same mahalanobis distance from centre o.

Figure 4. Mahalanobis distance

4.2.2 Character distance

This is the second method used for calculation the distance between the normal model and anomalous message. The total frequencies of all ASCII characters (in one-gram) and pair of ASCII characters (in two-gram) are recorded in learning phase. Distance between the ASCII characters of newly arrived message and that of learned model ,is computed by following formula.

D= F(X) - Max (F(X)) + stdev(F(X))

Where F(Xi) is the maximum frequency of the character X in self database and stdev(x) is the standard deviation of the frequency of X.

4.3 Strategy one one-gram

4.3.1 Feature extraction

The primary feature for this strategy is the frequency count of individual ASCII characters in a SIP message. First a SIP message is classified according to the message type e.g INVITE , CANCEL, BYE etc and then its number of individual ASCII character's frequency is recorded as shown in the figure 5. The example below explains how a string from a SIP message assigns a vectors space. Via: SIP/2.0/UDP , -� ... % .. � .... � .... - '"

1-GramFrequencyModel

Figure 5. Feature extraction

At the end of this phase , we will have number of histograms of different SIP types , representing the normal model of the ASCII characters in that particular message type.

4.3.2 Anomaly detection

1) Method-I (Character Distance)_In this approach, distances between individual ASCII characters of SIP message and of those in self

747

database, are computed using the character distance formula. A SIP message is declared as anomalous if its individual character's distance is more than a specific threshold value.

'8' Occurrence in Normal Msg 'B' in Anomalous Msg

Figure 6. Character distance

This diagram shows the domain of normality that is defined while training with different distance values with variable Dl, D2, D3 and D4. Node A,B and C defines the occurrence of the ASCIIs

2) Method-II (Mahalanobis Distance)-In this approach, the Mahalanobis distance of the individual messages is calculated with the self database. A SIP message is filtered on the basis of the fact that how much it deviate from the normal model. As some characters occur more frequently than others so different weights are assigned to the different characters. ASCII characters ASCII '0' -

'47' , '58' - '64 ', '91' - '96' and '123' - '255' are assigned ideally tuned weight based on how frequent they occur in the normal message. This methodology is very efficient for detecting minor fuzzing, because this method creates diversity of in between the distance of the normal and malicious packets with best results for anomaly detection.

A

8

M

Before Weight Implemenlation

Figure 7 Mahalanobis distance

A

N o

D1

After Weight Implementation

In the above diagrams the node A and B defined the mahalanobis distance domain for the normal packet distance in the training phase with distances D 1 and D2. Node M is the malicious packets that contains with a very minor fuzzing of special characters with distance D3 that makes it difficult to point it as a malicious one yet the application will allow this entity to move forward towards the SIP server as normal Packet . For solving this problem we introduces a methodology of assigning weights to the special characters that increased the diversity of M by distance D4. In Figure 7 we can see the after

8

applying the weight the malicious packet gets prominent as outlier and can be easily detected as malicious packet

4.4 Strategy two two-gram:

4.4.1 Feature extraction:

I Gram model never gave the required results that pushed us to go for the 2 Gram model. The calculation of 2 Gram model is same like the calculation we did in I Gram. The only difference is that while doing all the operations we take 2 alphabets as a single entity for the frequency count (and other operations) instead of single ASCII (in I-Gram Model). The example below explains how a string from a SIP message assigns a vectors space.

Via: SIP/2.0/UDP ........ .

2·Gram Frequency Model

Figure 8. Feature extraction

4.4.2 Anomaly detection

I) Method-I (Character Distance)-In this scheme, Distance of pair of characters (2-gram) is calculated with those of self database using character distance formula. There is not much differences with that of one-gram scheme except, the number of characters are now two instead on one (in one-gram).

2) Method-II (Mahalanobis Distance)-Likewise one-gram scheme , distance of the newly arrived message is calculated with those of self database but this time the number of characters are two instead of one. However it is to note that to calculate mahalanobis distance , a complete message's histogram is required , and only after a decision is made whether a message is anomalous or normal.

5 Results

In this section will discuss the detection accuracy and false positive analysis of the above mentioned techniques for SIP malformed messages .The goal of these approaches was to save the CPU processing time in useless malformed messages processing and also to not reject any normal SIP message.

5.1 Strategy one one-gram:

Figure 9 shows the true positive rate verses the false positive rate for both One-gram anomaly detection schemes i.e Character Distance and Mahalanobis Distance. X-axis represents the false

748

positive while the y-axis shows the true posItIve rate ranging from 0 to 100 percent. Initially the true positive rate for Mahalanobis Distance increases rapidly and reaches to 86 percent but after it stays there and varying threshold factor only increases the false alarm. In contrast , Character Distance scheme gives only 44 percent detection rate with lowest i.e 3 percent false alarm ,while varying threshold factor causes the false alarm increase. It can be concluded that the Mahalanobis Distance gives better true positive and false alarm rate in contrast to Character Distance. However 86 percent detection with 3 percent still is not a practical solution because in the diverse/realtime fragile SIP systems, 14 percent anomalous messages can cause severe application delays or even complete service failure. Three percent false positive means 30 legitimate requests would be rejected out of 1000 requests, which is simply intolerable for a commercial organization. To improve these results many techniques were applied e.g. different characters were assigned different weights based on their frequency in normal messages, but this could not bring considerable increase in true positive rate. Then we move on to the two-gram model for better detection and fewer false alams.

ROC curve

1.1 1

0.9 /' III > 0.8

:;:; 0.7 .U; 0.6 0 0.5 a.

III 0.4 2 0.3

I- 0.2 0.1

0

0 0.2 0.4 0.6 0.8 1 1.2

False Positive

Figure 9. ROC strategy-I ,One gram

5.2 Strategy two two-gram:

-- 1-gram

Character

Distance

-- 1-gram

Mahalanobis

Distance

Figure-IO shows the ROC curves for both two­gram anomaly detection schemes. It is apparent from the graph that the two-gram gave better results in terms of true positive and false positive , as compare to one-gram. It was expected because in these schemes, not only the character's frequency is recorded but the principle of locality is also exploited by recording the every single pair of the message's characters. However in contrast to one-gram, Character Distance anomaly detection gives better results than Mahalanobis Distance here. Detection rate is 99.9 percent with 0.0028 percent false alarms for the Character Distance while Mahalanobis Distance almost gives the same true positive rate but with 12 percent false alarms. Mahalanobis Distance anomaly detection also needs to go through the

whole message for computing deviation while Character Distance didn't. This also makes the Character Distance more efficient in terms of detection speed. Performance of this scheme IS

discussed in next section.

ROC curve

1.1 1 .1-,---------

0.9 0.8 0.7 0.6 0.5 0.4 0.3 0.2 --!--------o. 1 :;::::;t:;:::::;=;:::::::;::=;:::::;:::::;::::=:::;� o I -0.1 0 O. o. o. o. o. o. o. o. O. 1 1.

1 2 3 4 5 6 7 8 9

False Positive

Figure 10. ROC , 2-gram

6 Performance evaluation:

2-gram

Character

Distance

--2-gram

rv1ahalanobis

Distance

Different anomaly detection schemes have been discussed above. In this section will discuss the processing overhead of the two-gram Character Distance anomaly detection scheme, as it gives best true positive-false alarm rate. As we know the self learning anomaly detection models mostly depends on the training dataset , and the number of training messages are directly proportional to the detection rate and inversely proportional to the detection speed. However our 2-gram anomaly detection model doesn't depends on the number of training messages for the detection speed. Once the model has learned on the given number of benign messages , it gives almost constant detection time for any anomalous message detection that is 0.3184 milli seconds. Figure-II shows the detection rate for the varying number of training messages. X-axis shows the number of messages while the y-axis shows the detection rate for two-gram Character Distance anomaly detection scheme. It can be observed that the detection rate continuously increasing as the number of training messages increase. It starts from 99.95 at 50 training messages and reaches at 99.9 percent at 350 training messages.

---1.0001

" 0.9999 / �

0.9998 / c: / 1- True Positve I .2

'g 0.9997

/ � 0.9996

/ 0.9995

0.9994

0 100 200 300 400

No of Training Messages

Figure 11. Two-gram character distancetraining size vs detection rate

Figure-12 shows the training time for the varying number of training messages. The time shown here

749

is computed over a system consist of dual core 2 Giga Hz processor and 2GB ram , running Microsoft Windows Vista. It almost take 28 milli seconds to process a SIP message in training phase while once the training phase ends , it takes average of 0.3184 milli seconds to detect variety of malformed messages.

12000 VI

"C 10000 c:: 0 <J 8000 '" VI .- 6000 E

4000 c::

'" 2000

/ ) 1-- Trainig Tirre 1

/' /

E I- 0

0 1 00 200 300 400

No of Trainig Messages

Figure 12. Gram character distancetraining size vs time

References

[1] 1. Rosenberg, H. Schulzrinne, G. Camarillo, A.

Johnston,J. Peterson, R. Spark, M. Handley, E.

Schooler, Session Initiation Protocol, RFC 3261,

June 2002.

[2] Mark Collier ,Basic Vulnerability Issues for SIP

Security, mark. collier@securelogix.com.

[3] The IMS: IP Multimedia Concepts and Services" by Miikka Poikselka, Aki Niemi, Hisham

Khartabil, Georg Mayer (John Wiley & Sons)

2006

[4] Rfc 3261 , www.ietforglrfclrfc3261.

[5] ref [Sip _ Security030051] session tear down effect

[6] Ehlert, S. and Zhang, G. and Geneiatakis, D. and

Kambourakis, G. and Dagiuklas, T. and Markl, J.

and Sisalem, D., Two layer Denial of Service

prevention on SIP VoIP infrastructures,

Computer Communications,2008

[7] Geneiatakis, D. and Dagiuklas, T. and

Lambrinoudakis, C. and Kambourakis, G. and

Gritzalis, S, "Novel protecting mechanism for

SIP-based infrastructure against malformed

message attacks: Performance evaluation study",

Proc. of the 5th International Conference on Communication Systems, Networks and Digital

Signal Processing (CSNDSP'06), 2006.

[8] Geneiatakis, D. and Kambourakis, G. and

Lambrinoudakis, C. and Dagiuklas, T. and

Gritzalis, S," A framework for protecting a SIP­

based infrastructure against malformed message

attacks", Computer Networks, vol 51 , NO 1O,pp.

2580-2593, 2007

[9] www.ee.oulu.fi/research/ouspg/protos/testing/cO

7/sip

[10] http://sourceforge.net/proj ects/voiperi

[11] http://www.infiltrated.net/asteroid!